Communications Litigation Today was a Warren News publication.
17M Customers Affected

LoanDepot Customers' Personal Information Was Unencrypted, Says Complaint

LoanDepot has made little information available regarding the data breach it announced in a Jan. 8 SEC filing, said a complaint Monday (docket 8:24-cv-00194) in U.S. District Court for Central California in Santa Ana.

Following the breach, loanDepot’s website, including customer portals, “appeared to be non-functional” with an error message directing customers looking to make a payment “to call or mail in their payment instead,” the complaint said.

In a Jan. 22 update on the incident, the mortgage lender said it was working with outside forensics and security experts “to investigate the incident and restore normal operations as quickly as possible," working to understand the extent of the incident, taking steps to "minimize its impact,” and working with law enforcement as part of the investigation. Some 16.6 million individuals were affected, said a news release.

The “unencrypted sensitive personal information” of plaintiff Maria Sullivan of Tacoma, Washington, and members of the class action was “reasonably believed to have been acquired by an 'unauthorized person'" during the breach, the complaint said. That information is believed to have included bank statements, Social Security numbers, financial statements, contact information, email and telephone addresses, mortgage amounts and payments, and other information provided by class members to obtain or maintain a mortgage, it said.

Because loanDepot holds private information, Sullivan and class members are at “imminent and continuing risk of harm" from “fraud, identity theft and related harm” caused by the breach and “should remain vigilant for any signs of fraud or identity theft for the indefinite future,” the complaint said. Victims will have to undertake “time-consuming and often costly efforts to mitigate the actual and potential harm” caused by the breach, including placing freezes and alerts with credit reporting agencies; contacting financial institutions; modifying financial accounts; reviewing and monitoring credit reports and accounts for unauthorized activity; changing passwords on potentially impacted websites and applications; and requesting and maintaining accurate records, it said.

The January loanDepot announcement came on the heels of its May 2023 disclosure of an August 2022 breach, also resulting from a cyberattack, the complaint said. The defendant’s “failures to ensure that its servers and systems were adequately secure fell far short of its obligations” to protect Sullivan’s private information, while exposing her to “the serious risk of fraud and identity theft,” it said. Sullivan and class members must take “immediate and time-consuming action to protect themselves from such identity theft and fraud,” it said.

LoanDepot’s failure to protect customers' private information violates its security policy that states the company “takes strong steps to safeguard your personal and sensitive information through industry standard physical, electronic and operational policies and practices,” the complaint said. “All data that is considered highly confidential” can only be “read or written through defined service access points, the use of which is password-protected,” the policy says, touting loanDepot’s “combination of network firewalls and severs with tested operating systems, all housed in a secure facility.”

Sullivan's claims include negligence and negligence per se; breach of contract, implied contract and fiduciary duty; violation of California's California Customer Records Act and Unfair Competition Law; unjust enrichment; and invasion of privacy. She seeks actual, statutory and punitive and monetary damages; pre- and post-judgment interest; and attorneys' fees and costs.